Home Depot, which confirmed in September it was the victim of a network intrusion potentially compromising the payment-card details of 56 million consumers, late last week acknowledged millions of email addresses also were stolen in the heist. The company said separate files containing 53 million email addresses were compromised but the files did not contain additional payment card information, passwords or other sensitive personal information.
The investigation, stemming from the original event, unearthed some new information in addition to the email disclosure. In a statement, Home Depot said the intrusion originated with a third-party vendor. The vendor’s logon credentials gave the hackers access to the “perimeter” of the DIY home improvement retailer’s network, but did not give them direct access. The company said the thieves then “acquired elevated rights” that enabled them to install custom-built malware on the POS systems of its self-checkout lanes in its North American stores.